The MITRE ATT&CK Framework – A Sign of the Times
Posted by Liz Bush
There was a time when we believed that we could prevent every attack. But despite defense-in-depth strategies, as the years progressed we realized this wasn’t possible. Attacks are happening with increasing velocity, and the average cost of a data breach continues to rise – from $3.62 million last year to $3.86 million in 2018, according to the latest Ponemon study. What’s behind the rising costs? A huge factor is dwell time, which has also risen to 197 days from 191 in 2017; on top of that, it takes another 69 days to contain a threat, up from 66.
So now we subscribe to the belief that “it’s not a matter of if, but when and how we’ll be attacked.” With that, we realize we need to strengthen our ability to mitigate risk when breaches happen.
The security industry is placing greater emphasis on technologies, tools and processes that accelerate detection and response. One of the most interesting to come on the scene lately is the MITRE ATT&CK™ framework, a series of matrices that dive deep into adversaries’ post-exploit actions so security analysts can use that information to their advantage.
The matrix includes 11 high-level tactics, from initial access and execution all the way to exfiltration and command & control. At each step of the way, the adversary model is informed by threat data – real threat reports, not speculation – and the focus is on adversaries’ behavior, not the tools they use.
There are numerous use cases for the ATT&CK Matrix including:
- Gap analysis of current defenses to improve security posture
- Detection of heavily used techniques so analysts can prioritize what to look for
- Information sharing of observed behaviors on the network among security teams
- Tracking the evolution of tactics, techniques, and procedures (TTPs) over time and building adversary profiles
- Adversary emulation for red team/blue team exercises
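The first two use cases above, gap analysis and prioritizing heavily used techniques, reduce to a small join between your deployed detections and the threat reports you have ingested. The script below is an added illustration, not code from ThreatQuotient or MITRE; the detections, their technique tags and the report counts are constructed sample data, and the tactic list is the 11 tactics of the 2018 Enterprise matrix.

```python
"""Detection-coverage gap analysis against the ATT&CK tactics (added example).
Each deployed detection is tagged with the tactic/technique it covers; the
detections and threat-report counts below are constructed sample data."""
from collections import defaultdict

# The 11 tactics of the 2018 ATT&CK Enterprise matrix, in kill-chain order.
TACTICS = [
    "initial-access", "execution", "persistence", "privilege-escalation",
    "defense-evasion", "credential-access", "discovery", "lateral-movement",
    "collection", "exfiltration", "command-and-control",
]

# Constructed sample: detections already deployed, as (name, tactic, technique).
DETECTIONS = [
    ("suspicious-script-host", "execution", "T1059"),
    ("lsass-memory-read", "credential-access", "T1003"),
    ("scheduled-task-created", "persistence", "T1053"),
    ("account-enumeration", "discovery", "T1087"),
    ("beacon-to-rare-domain", "command-and-control", "T1071"),
    ("large-upload-over-c2", "exfiltration", "T1041"),
]

# Constructed sample: technique -> (tactic, number of ingested threat reports
# that describe it). These counts are what make the gap analysis threat-driven.
OBSERVED = {
    "T1566": ("initial-access", 30), "T1059": ("execution", 40),
    "T1003": ("credential-access", 25), "T1021": ("lateral-movement", 18),
    "T1071": ("command-and-control", 22), "T1041": ("exfiltration", 10),
}

def coverage_by_tactic(detections, tactics=TACTICS):
    """Map every tactic to the sorted technique IDs some detection covers."""
    covered = defaultdict(set)
    for _name, tactic, technique in detections:
        covered[tactic].add(technique)
    return {tactic: sorted(covered[tactic]) for tactic in tactics}

def uncovered_tactics(detections, tactics=TACTICS):
    """Tactics with no detection at all: the coarse gaps in the posture."""
    coverage = coverage_by_tactic(detections, tactics)
    return [tactic for tactic in tactics if not coverage[tactic]]

def prioritize_gaps(observed, detections):
    """Observed techniques with no detection, most-reported first."""
    have = {technique for _name, _tactic, technique in detections}
    gaps = [(tech, tactic, count) for tech, (tactic, count) in observed.items()
            if tech not in have]
    return sorted(gaps, key=lambda gap: (-gap[2], gap[0]))
```

With the sample data, five tactics have no detection at all, and the two observed-but-undetected techniques come back ranked by how often the reports mention them, which is the order an analyst would build coverage in.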
These use cases share one thing in common – they start with the threat. This makes the combination of ThreatQuotient and the ATT&CK framework a powerful match. ThreatQuotient has long believed that the ability to accelerate security operations starts with having a thorough and proactive understanding of the actors, campaigns and TTPs targeting you and your organization. We enable that deep and shared understanding across teams and technologies, so you can take action faster when an event occurs.
If you want to read about a specific example, check out our blog on threat hunting using ThreatQuotient and MITRE ATT&CK. Not only is it an example of how times have changed, but evidence that the path to more effective security starts with a threat-centric approach to security operations.